Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
65s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
27/07/2024, 02:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe
-
Size
156KB
-
MD5
4a3d79e52138f083fd9f14f0764d3d89
-
SHA1
9907953fcd29bab38fd2fb284be291c19ccbf8c3
-
SHA256
b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484
-
SHA512
70e43593723eb5eb3157eea8aacbc6a0083721608c3345ec6b48bbbf61ef77b490234fbe5f67eecff7e488e1affa22ff3bdcecb9817ca2adf632acc034f0d9af
-
SSDEEP
3072:9JJF7r8CDslnG1NPJ9IDlRxyhTbhgu+tAcrbFAJc+RsUiM:9h1Dr1NPsDshsrtMsC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnlqemal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaahgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dibjcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmofbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojnelefl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkqmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pngcnpkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cghkepdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafbmdbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eehqme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hopgikop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojnelefl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnicddki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgffck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhaobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgfjjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgchjhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pelpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpihnbmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlmacfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfedhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjomoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aocgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Echoepmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imcaijia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnjeoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmobpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dibjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddqeodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edhkpcdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefhpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbgcdmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnonjqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjiik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omonmpcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompgqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdmjmenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blcmbmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebjfiboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmnlog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmnoll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijjgegh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadbfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnmhajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eabeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iijbnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchadifq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncpjnahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbgcdmjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goekpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnakjaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faljqcmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpdpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmfhqmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdekigip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiniaboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bohoogbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncejcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhopcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbgakd32.exe -
Executes dropped EXE 64 IoCs
pid Process 2396 Afkccffq.exe 2416 Aocgll32.exe 2772 Adbmjbif.exe 2736 Aqljdclg.exe 2756 Bfkobj32.exe 2640 Beplcfmd.exe 1748 Bgqeea32.exe 1404 Bgcbja32.exe 2688 Cnogmk32.exe 1296 Cghkepdm.exe 2804 Cpcpjbah.exe 1240 Cpgieb32.exe 1772 Dibjcg32.exe 2392 Dhggdcgh.exe 1152 Ddqeodjj.exe 1948 Dpgedepn.exe 2492 Echoepmo.exe 1696 Edhkpcdb.exe 1356 Ehjqif32.exe 928 Eabeal32.exe 1788 Fhnjdfcl.exe 1336 Fdekigip.exe 2700 Fakhhk32.exe 1864 Fghppa32.exe 1492 Gcankb32.exe 2372 Gmjbchnq.exe 2264 Gmnlog32.exe 1688 Gnbelong.exe 1700 Hgjieedg.exe 2812 Hcajjf32.exe 2840 Imcaijia.exe 2672 Iijbnkne.exe 1268 Ihooog32.exe 2412 Idepdhia.exe 2952 Ieelnkpd.exe 1644 Jdjioh32.exe 2160 Jmbnhm32.exe 1764 Jiinmnaa.exe 2988 Jgmofbpk.exe 2252 Jgpklb32.exe 2056 Kokppd32.exe 1992 Kloqiijm.exe 1008 Kkdnke32.exe 1848 Kkfjpemb.exe 1516 Kdooij32.exe 324 Kkigfdjo.exe 960 Kpeonkig.exe 2024 Lfedlb32.exe 2076 Lpjiik32.exe 2300 Lhenmm32.exe 2748 Lbnbfb32.exe 2828 Lobbpg32.exe 2844 Ldokhn32.exe 2864 Lodoefed.exe 2684 Mhlcnl32.exe 2788 Mbehgabe.exe 2280 Mhopcl32.exe 624 Mnlilb32.exe 856 Mchadifq.exe 684 Mmafmo32.exe 2984 Mgfjjh32.exe 2404 Mcmkoi32.exe 2976 Mjgclcjh.exe 1004 Nbbhpegc.exe -
Loads dropped DLL 64 IoCs
pid Process 2296 b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe 2296 b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe 2396 Afkccffq.exe 2396 Afkccffq.exe 2416 Aocgll32.exe 2416 Aocgll32.exe 2772 Adbmjbif.exe 2772 Adbmjbif.exe 2736 Aqljdclg.exe 2736 Aqljdclg.exe 2756 Bfkobj32.exe 2756 Bfkobj32.exe 2640 Beplcfmd.exe 2640 Beplcfmd.exe 1748 Bgqeea32.exe 1748 Bgqeea32.exe 1404 Bgcbja32.exe 1404 Bgcbja32.exe 2688 Cnogmk32.exe 2688 Cnogmk32.exe 1296 Cghkepdm.exe 1296 Cghkepdm.exe 2804 Cpcpjbah.exe 2804 Cpcpjbah.exe 1240 Cpgieb32.exe 1240 Cpgieb32.exe 1772 Dibjcg32.exe 1772 Dibjcg32.exe 2392 Dhggdcgh.exe 2392 Dhggdcgh.exe 1152 Ddqeodjj.exe 1152 Ddqeodjj.exe 1948 Dpgedepn.exe 1948 Dpgedepn.exe 2492 Echoepmo.exe 2492 Echoepmo.exe 1696 Edhkpcdb.exe 1696 Edhkpcdb.exe 1356 Ehjqif32.exe 1356 Ehjqif32.exe 928 Eabeal32.exe 928 Eabeal32.exe 1788 Fhnjdfcl.exe 1788 Fhnjdfcl.exe 1336 Fdekigip.exe 1336 Fdekigip.exe 2700 Fakhhk32.exe 2700 Fakhhk32.exe 1864 Fghppa32.exe 1864 Fghppa32.exe 1492 Gcankb32.exe 1492 Gcankb32.exe 2372 Gmjbchnq.exe 2372 Gmjbchnq.exe 2264 Gmnlog32.exe 2264 Gmnlog32.exe 1688 Gnbelong.exe 1688 Gnbelong.exe 1700 Hgjieedg.exe 1700 Hgjieedg.exe 2812 Hcajjf32.exe 2812 Hcajjf32.exe 2840 Imcaijia.exe 2840 Imcaijia.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Flbehbqm.exe Fehmlh32.exe File created C:\Windows\SysWOW64\Pddlggin.exe Pngcnpkg.exe File created C:\Windows\SysWOW64\Ipllldmi.dll Jdjioh32.exe File opened for modification C:\Windows\SysWOW64\Ngcbie32.exe Nmnoll32.exe File opened for modification C:\Windows\SysWOW64\Ppgfciee.exe Pdqfnhpa.exe File created C:\Windows\SysWOW64\Kpmmpiog.dll Bgfdjfkh.exe File created C:\Windows\SysWOW64\Gnaaicgh.dll Gegbpe32.exe File created C:\Windows\SysWOW64\Mcegqmpg.dll Mchadifq.exe File created C:\Windows\SysWOW64\Qkbkfh32.exe Qnoklc32.exe File created C:\Windows\SysWOW64\Lbaefjef.dll Cfghagio.exe File opened for modification C:\Windows\SysWOW64\Dahobdpe.exe Clkfjman.exe File opened for modification C:\Windows\SysWOW64\Dnjeoa32.exe Cdbqflae.exe File created C:\Windows\SysWOW64\Gbjncbgq.dll Dnonjqdq.exe File opened for modification C:\Windows\SysWOW64\Lpjiik32.exe Lfedlb32.exe File created C:\Windows\SysWOW64\Agpqhl32.dll Dfgdpj32.exe File opened for modification C:\Windows\SysWOW64\Ekeiel32.exe Eehqme32.exe File created C:\Windows\SysWOW64\Kennjb32.dll Aodqok32.exe File created C:\Windows\SysWOW64\Iohcpqfg.dll Jbooen32.exe File created C:\Windows\SysWOW64\Iofledji.dll Odgchjhl.exe File opened for modification C:\Windows\SysWOW64\Dpmeij32.exe Degqka32.exe File created C:\Windows\SysWOW64\Lobbpg32.exe Lbnbfb32.exe File created C:\Windows\SysWOW64\Fabkfhch.dll Mnlilb32.exe File created C:\Windows\SysWOW64\Nalnmahf.exe Nhdjdk32.exe File created C:\Windows\SysWOW64\Ppmkilbp.exe Omonmpcm.exe File opened for modification C:\Windows\SysWOW64\Fgffck32.exe Feeilbhg.exe File opened for modification C:\Windows\SysWOW64\Efaiobkc.exe Emieflec.exe File opened for modification C:\Windows\SysWOW64\Meafpibb.exe Mhmfgdch.exe File created C:\Windows\SysWOW64\Glfijb32.dll Mgjpcf32.exe File created C:\Windows\SysWOW64\Chmpml32.dll Pjchjcmf.exe File opened for modification C:\Windows\SysWOW64\Kkiiom32.exe Kaaeegkc.exe File created C:\Windows\SysWOW64\Mlqncf32.dll Lkkfdmpq.exe File created C:\Windows\SysWOW64\Hagebp32.dll Hfookk32.exe File opened for modification C:\Windows\SysWOW64\Pfaopc32.exe Ppgfciee.exe File created C:\Windows\SysWOW64\Aadbfp32.exe Ahlnmjkf.exe File opened for modification C:\Windows\SysWOW64\Eeijpdbd.exe Dghjmlnm.exe File created C:\Windows\SysWOW64\Fhnjdfcl.exe Eabeal32.exe File created C:\Windows\SysWOW64\Idepdhia.exe Ihooog32.exe File created C:\Windows\SysWOW64\Oiniaboi.exe Odaqikaa.exe File created C:\Windows\SysWOW64\Pajbdm32.dll Ehpgha32.exe File created C:\Windows\SysWOW64\Pmoqfi32.exe Obilip32.exe File created C:\Windows\SysWOW64\Jkpfcnoe.exe Jajbfeop.exe File created C:\Windows\SysWOW64\Adkbiook.dll Peooek32.exe File created C:\Windows\SysWOW64\Enjqaegh.dll Efaiobkc.exe File created C:\Windows\SysWOW64\Nkikgn32.dll Bgcbja32.exe File created C:\Windows\SysWOW64\Nagbnnje.dll Mhopcl32.exe File created C:\Windows\SysWOW64\Qpocno32.exe Qkbkfh32.exe File created C:\Windows\SysWOW64\Nbaafocg.exe Nkhhie32.exe File opened for modification C:\Windows\SysWOW64\Jajbfeop.exe Iecaad32.exe File created C:\Windows\SysWOW64\Qfedhb32.exe Pmmppm32.exe File created C:\Windows\SysWOW64\Kneacffj.dll Imcaijia.exe File created C:\Windows\SysWOW64\Mlnbmikh.exe Mlkegimk.exe File created C:\Windows\SysWOW64\Bgfdjfkh.exe Aefhpc32.exe File created C:\Windows\SysWOW64\Ginefe32.exe Gohqhl32.exe File opened for modification C:\Windows\SysWOW64\Nhdjdk32.exe Nbgakd32.exe File created C:\Windows\SysWOW64\Mkniao32.dll Kkiiom32.exe File opened for modification C:\Windows\SysWOW64\Oblmom32.exe Ngfhbd32.exe File opened for modification C:\Windows\SysWOW64\Pnbjca32.exe Pifakj32.exe File created C:\Windows\SysWOW64\Ahlodfln.dll Bfkobj32.exe File created C:\Windows\SysWOW64\Pfaopc32.exe Ppgfciee.exe File opened for modification C:\Windows\SysWOW64\Cqqbgoba.exe Cghmni32.exe File created C:\Windows\SysWOW64\Aflkiapg.exe Amcfpl32.exe File opened for modification C:\Windows\SysWOW64\Dfbdje32.exe Cmjoaofc.exe File opened for modification C:\Windows\SysWOW64\Iecaad32.exe Iofiimkd.exe File created C:\Windows\SysWOW64\Kpkocpjj.exe Knkbimbg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2640 4696 WerFault.exe 378 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adekhkng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkklflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbjca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkbkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gknhjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joepjokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngcbie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgedepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmmgbbeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjfdpckc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjbaooe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoqfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibbqmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nalnmahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodqok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndhpqma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefhpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cldolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjeoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciknhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkegimk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahlnmjkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdieaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbhmehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqkqbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbafel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhljlnma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcajjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfghagio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbgghhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcfenn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibnodj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmdff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obilip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhkpcdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohqbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdkdffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hopgikop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peooek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apdobg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiphmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekoljgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldangbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lihifhoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpdpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejeknelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opkndldc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijjgkmqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilmkffb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajbfeop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhaobd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcmkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feeilbhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkiiom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhiglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfooa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlnbmikh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgchjhl.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbooen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlbhlf32.dll" Blcmbmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmigi32.dll" Jilmkffb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emieflec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebjfiboe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoodlbd.dll" Cfekkgla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omonmpcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehjqif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklgei32.dll" Bbolge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjbbnaj.dll" Dijjgegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknmke32.dll" Elpldp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aocgll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cilfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chfffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackoccaa.dll" Dmfhqmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlopimho.dll" Afkccffq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfadoaih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdqfnhpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfjme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lenapcbd.dll" Nbgakd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okdqnp32.dll" Fijolbfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Macnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchjjo32.dll" Pmgnan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peaibajp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbolge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjdmfaj.dll" Fgqcel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gknhjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fangfcki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcaajnk.dll" Nlhnfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aecdpmbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peaibajp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgcmiclk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pogaeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgjieedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbnhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdgdlnop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkbimbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgqeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfookk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgfdjfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdbkaoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afggdp32.dll" Qfedhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaoaafli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmpiog.dll" Bgfdjfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koocqj32.dll" Fgffck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lckdcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feklja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabkfhch.dll" Mnlilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjncbgq.dll" Dnonjqdq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghmohcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddifg32.dll" Hiphmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmcao32.dll" Kpkocpjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memchb32.dll" Nmmgafjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpfopf.dll" Ojnelefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfbdje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpkiefl.dll" Mhmfgdch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afjncabj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blklfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckbccnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadllf32.dll" Degqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjgehii.dll" Nbaafocg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 2396 2296 b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe 29 PID 2296 wrote to memory of 2396 2296 b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe 29 PID 2296 wrote to memory of 2396 2296 b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe 29 PID 2296 wrote to memory of 2396 2296 b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe 29 PID 2396 wrote to memory of 2416 2396 Afkccffq.exe 30 PID 2396 wrote to memory of 2416 2396 Afkccffq.exe 30 PID 2396 wrote to memory of 2416 2396 Afkccffq.exe 30 PID 2396 wrote to memory of 2416 2396 Afkccffq.exe 30 PID 2416 wrote to memory of 2772 2416 Aocgll32.exe 31 PID 2416 wrote to memory of 2772 2416 Aocgll32.exe 31 PID 2416 wrote to memory of 2772 2416 Aocgll32.exe 31 PID 2416 wrote to memory of 2772 2416 Aocgll32.exe 31 PID 2772 wrote to memory of 2736 2772 Adbmjbif.exe 32 PID 2772 wrote to memory of 2736 2772 Adbmjbif.exe 32 PID 2772 wrote to memory of 2736 2772 Adbmjbif.exe 32 PID 2772 wrote to memory of 2736 2772 Adbmjbif.exe 32 PID 2736 wrote to memory of 2756 2736 Aqljdclg.exe 33 PID 2736 wrote to memory of 2756 2736 Aqljdclg.exe 33 PID 2736 wrote to memory of 2756 2736 Aqljdclg.exe 33 PID 2736 wrote to memory of 2756 2736 Aqljdclg.exe 33 PID 2756 wrote to memory of 2640 2756 Bfkobj32.exe 34 PID 2756 wrote to memory of 2640 2756 Bfkobj32.exe 34 PID 2756 wrote to memory of 2640 2756 Bfkobj32.exe 34 PID 2756 wrote to memory of 2640 2756 Bfkobj32.exe 34 PID 2640 wrote to memory of 1748 2640 Beplcfmd.exe 35 PID 2640 wrote to memory of 1748 2640 Beplcfmd.exe 35 PID 2640 wrote to memory of 1748 2640 Beplcfmd.exe 35 PID 2640 wrote to memory of 1748 2640 Beplcfmd.exe 35 PID 1748 wrote to memory of 1404 1748 Bgqeea32.exe 36 PID 1748 wrote to memory of 1404 1748 Bgqeea32.exe 36 PID 1748 wrote to memory of 1404 1748 Bgqeea32.exe 36 PID 1748 wrote to memory of 1404 1748 Bgqeea32.exe 36 PID 1404 wrote to memory of 2688 1404 Bgcbja32.exe 37 PID 1404 wrote to memory of 2688 1404 Bgcbja32.exe 37 PID 1404 wrote to memory of 2688 1404 Bgcbja32.exe 37 PID 1404 wrote to memory of 2688 1404 Bgcbja32.exe 37 PID 2688 wrote to memory of 1296 2688 Cnogmk32.exe 38 PID 2688 wrote to memory of 1296 2688 Cnogmk32.exe 38 PID 2688 wrote to memory of 1296 2688 Cnogmk32.exe 38 PID 2688 wrote to memory of 1296 2688 Cnogmk32.exe 38 PID 1296 wrote to memory of 2804 1296 Cghkepdm.exe 39 PID 1296 wrote to memory of 2804 1296 Cghkepdm.exe 39 PID 1296 wrote to memory of 2804 1296 Cghkepdm.exe 39 PID 1296 wrote to memory of 2804 1296 Cghkepdm.exe 39 PID 2804 wrote to memory of 1240 2804 Cpcpjbah.exe 40 PID 2804 wrote to memory of 1240 2804 Cpcpjbah.exe 40 PID 2804 wrote to memory of 1240 2804 Cpcpjbah.exe 40 PID 2804 wrote to memory of 1240 2804 Cpcpjbah.exe 40 PID 1240 wrote to memory of 1772 1240 Cpgieb32.exe 41 PID 1240 wrote to memory of 1772 1240 Cpgieb32.exe 41 PID 1240 wrote to memory of 1772 1240 Cpgieb32.exe 41 PID 1240 wrote to memory of 1772 1240 Cpgieb32.exe 41 PID 1772 wrote to memory of 2392 1772 Dibjcg32.exe 42 PID 1772 wrote to memory of 2392 1772 Dibjcg32.exe 42 PID 1772 wrote to memory of 2392 1772 Dibjcg32.exe 42 PID 1772 wrote to memory of 2392 1772 Dibjcg32.exe 42 PID 2392 wrote to memory of 1152 2392 Dhggdcgh.exe 43 PID 2392 wrote to memory of 1152 2392 Dhggdcgh.exe 43 PID 2392 wrote to memory of 1152 2392 Dhggdcgh.exe 43 PID 2392 wrote to memory of 1152 2392 Dhggdcgh.exe 43 PID 1152 wrote to memory of 1948 1152 Ddqeodjj.exe 44 PID 1152 wrote to memory of 1948 1152 Ddqeodjj.exe 44 PID 1152 wrote to memory of 1948 1152 Ddqeodjj.exe 44 PID 1152 wrote to memory of 1948 1152 Ddqeodjj.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe"C:\Users\Admin\AppData\Local\Temp\b218bdd20fc0b32def32dae8005c60fa3ce01e72afe51e6f1ffa1635d6ae7484.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Afkccffq.exeC:\Windows\system32\Afkccffq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Aocgll32.exeC:\Windows\system32\Aocgll32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Adbmjbif.exeC:\Windows\system32\Adbmjbif.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Bfkobj32.exeC:\Windows\system32\Bfkobj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Beplcfmd.exeC:\Windows\system32\Beplcfmd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Bgqeea32.exeC:\Windows\system32\Bgqeea32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Cnogmk32.exeC:\Windows\system32\Cnogmk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Cghkepdm.exeC:\Windows\system32\Cghkepdm.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Cpcpjbah.exeC:\Windows\system32\Cpcpjbah.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Cpgieb32.exeC:\Windows\system32\Cpgieb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Dibjcg32.exeC:\Windows\system32\Dibjcg32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Dhggdcgh.exeC:\Windows\system32\Dhggdcgh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Ddqeodjj.exeC:\Windows\system32\Ddqeodjj.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Dpgedepn.exeC:\Windows\system32\Dpgedepn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Edhkpcdb.exeC:\Windows\system32\Edhkpcdb.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Fhnjdfcl.exeC:\Windows\system32\Fhnjdfcl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1336 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Fghppa32.exeC:\Windows\system32\Fghppa32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Gcankb32.exeC:\Windows\system32\Gcankb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Gmjbchnq.exeC:\Windows\system32\Gmjbchnq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Gmnlog32.exeC:\Windows\system32\Gmnlog32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Gnbelong.exeC:\Windows\system32\Gnbelong.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Hgjieedg.exeC:\Windows\system32\Hgjieedg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Hcajjf32.exeC:\Windows\system32\Hcajjf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Imcaijia.exeC:\Windows\system32\Imcaijia.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Ihooog32.exeC:\Windows\system32\Ihooog32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Idepdhia.exeC:\Windows\system32\Idepdhia.exe35⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ieelnkpd.exeC:\Windows\system32\Ieelnkpd.exe36⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Jdjioh32.exeC:\Windows\system32\Jdjioh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Jmbnhm32.exeC:\Windows\system32\Jmbnhm32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Jiinmnaa.exeC:\Windows\system32\Jiinmnaa.exe39⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Jgmofbpk.exeC:\Windows\system32\Jgmofbpk.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Jgpklb32.exeC:\Windows\system32\Jgpklb32.exe41⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe42⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Kloqiijm.exeC:\Windows\system32\Kloqiijm.exe43⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe44⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe45⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe46⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Kkigfdjo.exeC:\Windows\system32\Kkigfdjo.exe47⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Kpeonkig.exeC:\Windows\system32\Kpeonkig.exe48⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Lpjiik32.exeC:\Windows\system32\Lpjiik32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Lhenmm32.exeC:\Windows\system32\Lhenmm32.exe51⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Lbnbfb32.exeC:\Windows\system32\Lbnbfb32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Lobbpg32.exeC:\Windows\system32\Lobbpg32.exe53⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ldokhn32.exeC:\Windows\system32\Ldokhn32.exe54⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Lodoefed.exeC:\Windows\system32\Lodoefed.exe55⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe56⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe57⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Mhopcl32.exeC:\Windows\system32\Mhopcl32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Mchadifq.exeC:\Windows\system32\Mchadifq.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe61⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Mgfjjh32.exeC:\Windows\system32\Mgfjjh32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Mcmkoi32.exeC:\Windows\system32\Mcmkoi32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe64⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Nbbhpegc.exeC:\Windows\system32\Nbbhpegc.exe65⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Nmhlnngi.exeC:\Windows\system32\Nmhlnngi.exe66⤵PID:580
-
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Nhdjdk32.exeC:\Windows\system32\Nhdjdk32.exe69⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Nalnmahf.exeC:\Windows\system32\Nalnmahf.exe70⤵
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe71⤵PID:2152
-
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe72⤵PID:2628
-
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe73⤵PID:2912
-
C:\Windows\SysWOW64\Oelcho32.exeC:\Windows\system32\Oelcho32.exe74⤵PID:2616
-
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe75⤵PID:2604
-
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe76⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Oiniaboi.exeC:\Windows\system32\Oiniaboi.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe78⤵PID:2116
-
C:\Windows\SysWOW64\Ojnelefl.exeC:\Windows\system32\Ojnelefl.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe80⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Omonmpcm.exeC:\Windows\system32\Omonmpcm.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe82⤵PID:2380
-
C:\Windows\SysWOW64\Pobgjhgh.exeC:\Windows\system32\Pobgjhgh.exe83⤵PID:2356
-
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Pkihpi32.exeC:\Windows\system32\Pkihpi32.exe85⤵PID:368
-
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe86⤵PID:872
-
C:\Windows\SysWOW64\Pogaeg32.exeC:\Windows\system32\Pogaeg32.exe87⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe88⤵
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Pknakhig.exeC:\Windows\system32\Pknakhig.exe89⤵PID:2244
-
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe90⤵PID:2644
-
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe91⤵PID:3056
-
C:\Windows\SysWOW64\Qnoklc32.exeC:\Windows\system32\Qnoklc32.exe92⤵
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Qpocno32.exeC:\Windows\system32\Qpocno32.exe94⤵PID:2040
-
C:\Windows\SysWOW64\Ajghgd32.exeC:\Windows\system32\Ajghgd32.exe95⤵PID:840
-
C:\Windows\SysWOW64\Aodqok32.exeC:\Windows\system32\Aodqok32.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe97⤵
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe98⤵PID:2496
-
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe99⤵
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Cfekkgla.exeC:\Windows\system32\Cfekkgla.exe100⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Ckbccnji.exeC:\Windows\system32\Ckbccnji.exe101⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Cfghagio.exeC:\Windows\system32\Cfghagio.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Ckdpinhf.exeC:\Windows\system32\Ckdpinhf.exe103⤵PID:2816
-
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe104⤵PID:2336
-
C:\Windows\SysWOW64\Cacegd32.exeC:\Windows\system32\Cacegd32.exe105⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Ciknhb32.exeC:\Windows\system32\Ciknhb32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Cafbmdbh.exeC:\Windows\system32\Cafbmdbh.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Clkfjman.exeC:\Windows\system32\Clkfjman.exe108⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Dahobdpe.exeC:\Windows\system32\Dahobdpe.exe109⤵PID:2236
-
C:\Windows\SysWOW64\Dgbgon32.exeC:\Windows\system32\Dgbgon32.exe110⤵PID:1884
-
C:\Windows\SysWOW64\Dpmlcpdm.exeC:\Windows\system32\Dpmlcpdm.exe111⤵PID:1740
-
C:\Windows\SysWOW64\Dfgdpj32.exeC:\Windows\system32\Dfgdpj32.exe112⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Dckdio32.exeC:\Windows\system32\Dckdio32.exe113⤵PID:912
-
C:\Windows\SysWOW64\Dihmae32.exeC:\Windows\system32\Dihmae32.exe114⤵PID:2980
-
C:\Windows\SysWOW64\Dbqajk32.exeC:\Windows\system32\Dbqajk32.exe115⤵PID:2648
-
C:\Windows\SysWOW64\Dijjgegh.exeC:\Windows\system32\Dijjgegh.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Ehpgha32.exeC:\Windows\system32\Ehpgha32.exe117⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Ebekej32.exeC:\Windows\system32\Ebekej32.exe118⤵PID:1804
-
C:\Windows\SysWOW64\Ehbcnajn.exeC:\Windows\system32\Ehbcnajn.exe119⤵PID:2992
-
C:\Windows\SysWOW64\Eolljk32.exeC:\Windows\system32\Eolljk32.exe120⤵PID:2428
-
C:\Windows\SysWOW64\Elpldp32.exeC:\Windows\system32\Elpldp32.exe121⤵
- Modifies registry class
PID:3024
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-